Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-security-GRC
Curated list of resources for security Governance, Risk Management, Compliance and Audit professionals and enthusiasts (if they exist).
https://github.com/Arudjreis/awesome-security-GRC
- COSO - Risk Management: Applying the COSO ERM Framework (PDF)
- FAIR (Factor Analysis of Information Risk)
- ISO/IEC JTC 1/SC 27
- ISO 31000
- ISO 31000 Risk management – Guidelines
- ISO 31000:2019 Risk Management – Risk Assessment Techniques
- ISO 31022:2020 Risk Management — Guidelines for the management of legal risk
- ISO/FDIS 31030 Travel Risk Management — Guidance for organizations
- ISO/AWI 31050 – Guidance for managing emerging risks to enhance resilience
- ISO/DIS 31073 Risk Management – Vocabulary
- ISO/TC 262
- NIST Risk Management Framework (the framework used to meet the requirements of the Federal Information Security Modernization Act)
- NIST Special Publication 800-53 revision 5; SP 800-53B (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf) describes the control baselines.
- Special Publication 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
- Special Publication 800-30 Rev. 1: Guide for Conducting Risk Assessments
- Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- OCTAVE method
- Rapid Risk Analysis (RRA) methodology
- Threat Assessment and Remediation Analysis (TARA)
- *Comply*
- riskquant
- SOX
- GDPR
- PCI-DSS
- HIPAA
- ISO 27001
- SOC2
- FedRAMP
- FISMA
- NIST SP 800-53 Rev. 5
- NIST SP 800-171 Rev. 2
- NIST CSF
- **Security Risk Management**, *Evan Wheeler*, 2011
- **Measuring and Managing Information Risk**, *Jack Freund & Jack Jones*, 2014
- **How to Measure Anything in Cybersecurity Risk**, *Douglas Hubbard & Richard Seiersen*, 2016
- **Transformational Security Awareness**, *Perry Carpenter*, 2019
- **Foundations of Information Security**, *Jason Andress*, 2019
- **ISO 27001 controls – A guide to implementing and auditing**, *Bridget Kenyon*, 2019
- **IT Auditing: Using Controls to Protect Information Assets**, *Mike Kegerreis, Mike Schiller and Chris Davis*, 2019
- **A Leader's Guide to Cybersecurity**, *Thomas J. Parenty and Jack J. Domet*, 2019
- **Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment**, *Dan Blum*, 2020
- **The Cybersecurity Manager's Guide**, *Todd Barnum*, 2021
- great foundational talk
- 80 videos focused on Risk Management and Cyber Risk Quantification
- Quantitative Cyber Risk Analysis
- this one
- ***Ryan McGeehan***
- *waaaay*
- ***Phil Venables***
- *Compliance vs. Security*
- Common Control Framework
- Adobe introduced scalability by creating **four major roles**: *Enabling compliance and governance at scale in a multi-cloud environment* (https://medium.com/adobetech/enabling-compliance-and-governance-at-scale-in-a-multi-cloud-environment-82847ba5d341)
- Part I and Part II (…the-common-controls-framework-part-ii-d010bea9bcc4). Adobe, as a major SaaS provider, has to have a Tech GRC program that scales accordingly; these two articles introduce the **4-layer model** used to automate security compliance.
- **Strategic Technology Initiatives** - read
- this podcast
- **DevOps vs. Compliance, A Guide to Having it All**
- **Part 1**
- **Part 2**
- **Part 3**
- **Part 4** - edge approach to auditors and why agility and compliance CAN live in harmony :)
- *Troy Fine*
- *AJ Yawn*
- *Aron Lange*
- *Jacob Horne*
- *Ayoub Fandi* - native GRC focus.
- *Minimalist Risk Management*
- *The SecureWorld Sessions*
- *Cloud Security Podcast*
- *Security & Compliance Weekly* - Hosted by Jeff Man, Scott Lyons and Josh Marpet
- *Risk, Governance and Cyber Compliance* - Hosted by Dr. Bill Souza
- *The GRC Podcast* - Hosted by Mark Graziano
- **Getting Over Our "Security ≠ Compliance" Obsession**, *CISO-Security Vendor Relationship Podcast* - Featuring David Spark, Mike Johnson and special guest Chris Hymes (Head of Infosec, Riot Games)
- **Is Governance the Most Important Part of GRC?**, *Defense in Depth Podcast* - Featuring David Spark, Allan Alford and special guest Mustapha Kebbeh (CISO, Brinks)
- **Should Risk Lead GRC?**, *Defense in Depth Podcast* - Featuring David Spark, Allan Alford and special guest Marnie Wilking (Head of Security and Technology Risk Management, Wayfair)
- **IT Governance**, *CISO Tradecraft Podcast* - Featuring G Mark Hardy and Ross Young
- **Cyber Frameworks**, *CISO Tradecraft Podcast* - Featuring G Mark Hardy and Ross Young
- the only resource you'll need